Hate automatic software updates? You're not alone

Criminals use ransomware to extort money from individual users and big businesses.
Time

A window announcing the encryption of data including a requirement to pay appears on an electronic timetable display at the railway station in Chemnitz, eastern Germany, on May 12, 2017.
A fast-moving wave of cyberattacks swept the globe, apparently exploiting a flaw exposed in documents leaked from the US National Security Agency. Affected by the onslaught were computer networks at hospitals in Britain, Russia's interior ministry, the Spanish telecom giant Telefonica, the US delivery firm FedEx, German railway operator Deutsche Bahn and many other organizations. (Photo: P. Goetzelt, AFP/Getty Images)

SAN FRANCISCO – Grit your teeth and let your computer update itself. That’s the advice of security experts, who say consumers should welcome those updates because they serve a crucial purpose highlighted by the victims of the WannaCry ransomware attack.

In a world where computers and the software that runs them are under near-constant assault, updates allow companies like Microsoft, Apple and Google to keep customers safe — to the annoyance of many users.

“Think of this whole thing between the hackers and us, the average people, as an arms race. The hackers find a vulnerability, the companies find something to counter it,” said John Otero, a professor at St. John’s University's computer security program.

But too many consumers turn off updates or refuse to install them when they pop up, either because they like their programs as they are, or because they fear the updates themselves may be malicious, or simply because it's too much work or downtime.

A software update notice on a Macintosh computer. (Photo: Elizabeth Weise)

A study by the Pew Research Center in January found that 14% of consumers never updated their smartphone’s operating system and 42% waited “until it was convenient.”

Younger users seem to be more onboard with updates. Pew found that 48% of younger users, 18- to 29-year-olds, had their smartphones set to automatically install updates when they were available. But 13% still said they never updated their systems.

Microsoft significantly changed its update model with its Windows 10 operating system by allowing for automatically installed updates, with some flexibility about timing on the part of the user. Major upgrades can only be deferred for 180 days, with a 60-day grace period. And in a change from the past, its weekly security patches are now bundled together, whereas it used to be possible to choose which to install.

Many of the computers affected by WannaCry were running the Windows XP operating system, which couldn't initially be patched because Microsoft stopped supporting the program in 2014, except for customers paying a high fee. In the case of WannaCry, Microsoft took the unusual step of issuing a free patch for Windows XP machines due to the severity of the threat.

“Apple used to only update their software once a year and now they do it monthly, mostly for security patches. Microsoft used to be able to go a year for a big update,” said Daniel Ladik, a professor who specializes in digital marketing at Seton Hall University in South Orange, NJ.

Those ever-more-frequent updates also often include a mix of both security and general software changes — to the frustration of users. They complain some updates force them to reset preferences or that the updates cause crashes. The frequency and glitches have given updates a bad name, leading some consumers to ignore these persistent reminders.

Sometimes settings change, “so suddenly you’re getting push notifications even though you had them turned off so you've got to go back in and reset everything," said Ladik.

That's the challenge for the technology industry: To keep consumer data safe, software makers need to convince users to constantly maintain their programs. But the more they interrupt consumers, who are increasingly tethered to their smart devices, the less these consumers want to play along.

Google thinks it’s less a reluctance to install updates and more just not wanting to be hassled.

“No one wants to be interrupted in the middle of doing a task they’re concentrating on to pause and deal with something totally unrelated,” said Parisa Tabriz, a Google Chrome security expert. That's why the Chrome operating system is automatically updated, she said.

Grady Summers, chief technology officer with security company FireEye, thinks the fear of installing something that will crash a system or brick a device is overinflated, especially compared to the danger of getting hacked.

“The risk is minuscule compared to the risk you run by not patching. Companies like Microsoft and Google extensively test updates for compatibility. Unless you’re running very specialized software, you shouldn’t be concerned,” he said.

This leads to a mismatch between security concerns and consumer concerns.

Ladik tends to be of the ‘if you’re unsure, don’t do it’ school of thought, figuring that for most devices he can skip somewhere between three and five updates before they stop working.

That outlook drives security professionals to distraction.

“The inconvenience experienced from potential changes due to patching is a fraction of the hassle involved in recovering from a compromise. Take the medicine, it’s far better than the disease,” said John Bock, a vice president of application security at Optiv, a computer security company.

Users don't always see it that way. "Sometimes the medicine is worse than the disease itself,” said Otero, a former commanding officer in the New York Police Department’s computer security unit.

To his mind, updates make sense for businesses, because they have a tech staff and can test systems when they install updates. Consumers don’t have that luxury. So he often waits a few days when an update comes out, keeping an eye on what others are writing online about the new code.

“Sometimes you’ll go on and see a couple of hundred people saying the same thing — ‘Don’t do it! It will break!'” said Otero.

Security experts say the reality is that most people don't remember to update. And waiting is becoming increasingly less safe.

“As attackers become more sophisticated and more automated, the time it takes them to exploit unpatched systems shrinks significantly. This means the risk of not auto-updating systems goes up in comparison to using an update that has not been verified in the field,” said Ayal Yogev, vice president of product management at SafeBreach.

How to give users choice

One solution would be for companies to separate security updates from program updates. That would let users choose security immediately but give them control over when they want to automatically update other aspects of programs or operating systems, said Cooper Quintin, a staff technologist with the Electronic Frontier Foundation, a San Francisco-based digital advocacy group.

"The branding of automatic updates has been severely tarnished in the public eye because of updates that break things or that drastically change the program,” he said.

A programmer shows a sample of a ransomware cyberattack on a laptop in Taipei, Taiwan, on May 13, 2017. According to news reports, a 'WannaCry' ransomware cyberattack hit thousands of computers in 99 countries encrypting files from affected computer units and demanding 300 US dollars through bitcoin to decrypt the files.
Ritchie B. Tongo, European Pressphoto Agency

Tom Bossert, White House homeland security and counterterrorism adviser, speaks about the recent cyberattacks during a daily news briefing in the Brady Press Briefing Room at the White House in Washington on May 15, 2017.
Saul Loeb, AFP/Getty Images

An electronic display calls on travelers to watch the analogue timetable at the main railway station in Frankfurt am Main, Germany, on May 13, 2017.
A fast-moving wave of cyber attacks swept the globe, apparently exploiting a flaw exposed in documents leaked from the National Security Agency. Affected by the onslaught were computer networks at hospitals in Britain, Russia's interior ministry, the Spanish telecom giant Telefonica, the delivery company FedEx, German railway operator Deutsche Bahn and many other organizations.
Boris Roessler, AFP/Getty Images

Employees watch an electronic board to monitor possible ransomware cyberattacks at the Korea Internet and Security Agency (KISA) in Seoul on May 15, 2017. The notorious WannaCry ransomware, a type of malware that locks up files on a computer until victims pay a certain amount of money to hackers, struck South Korea's top theater chain CJ CGV the same day, industry sources said.
Yonhap via European Pressphoto Agency

Patients wait near a queue number dispenser affected by the "WannaCry" attack at Dharmais Cancer Hospital in Jakarta, Indonesia, on May 15, 2017. Global cyber chaos was spreading Monday as companies booted up computers at work following the weekend's worldwide "ransomware" cyberattack. The extortion scheme created chaos in 150 countries and could wreak even greater havoc as more malicious variations appear.
Dita Alangkara, AP

Indonesian patients and relatives wait for their turn at the registration counter of the Dharmais Hospital, after the hospital's information system was affected by a computer virus in Jakarta, Indonesia, on May 15, 2017. According to media reports, the cancer hospital was hit by the 'WannaCry' ransomware, disrupting service to patients.
Mast Irham, European Pressphoto Agency

A journalist at work reads online news articles about cyber attacks, in Istanbul on May 15, 2017. According to reports, thousands of people were affected by a global cyberattack in the last two days.
Sedat Suna, European Pressphoto Agency

A display panel with an error can be seen at the main railway station in Chemnitz, Germany. Germany's national railway says that it was among the organizations affected by the global cyberattack but there was no impact on train services. Deutsche Bahn said early that departure and arrival display screens at its stations were hit May 12, 2017, by the attack.
P. Goezelt, dpa via AP

A close-up view of Britain's National Health Service (NHS) website with a cyberattack warning, as seen on a laptop in London on May 13, 2017. According to a statement by the NHS, a number of hospitals and institutions operated by Britain's NHS were hit by a large-scale ransomware cyberattack called 'WannaCry', causing failures of computer systems.
Andy Rain, European Pressphoto Agency